Cyber security risk assessments provide a pivotal starting point for understanding existing risk exposure, from which suitable mitigation strategies can be formed. Where risk is viewed as a product of threat, vulnerability, and impact, understanding each element is of equal importance. This can be a challenge in Industrial Control System (ICS) environments, where adopted technologies are typically not only bespoke, but also interact directly with the physical world. To date, existing vulnerability identification has focused on traditional vulnerability categories. While this provides risk assessors with a baseline understanding, and the ability to hypothesize on potential resulting impacts, it is high level, operating at a level of abstraction that would be viewed as incomplete within a traditional information system context. The work presented in this paper takes the understanding of ICS device vulnerabilities one step further. It offers a tool, PLC-VBS, that helps identify Programmable Logic Controller (PLC) vulnerabilities, specifically within logic used to monitor, control, and automate operational processes. PLC-VBS gives risk assessors a more coherent picture of the potential impact should the identified vulnerabilities be exploited; this applies specifically to operational process elements.